Authorization and Access Control


Chapter 18

Thank you for reviewing the Whistler Server Resource Kit documentation. Post your feedback at the microsoft.betanews account under the microsoft.beta.whistler.documentation newsgroup using the following steps:

1. Create a new newsgroup message.
2. Use the title of the chapter as the subject line of your message.
3. Put your comments in the message, clearly identifying page number and changes to the text.

You can also send the chapter with your comments to [email protected].

© 1985-2001 Microsoft Corporation. All rights reserved.

The Microsoft Whistler operating system includes a number of features that you can use to protect selected files, applications, and other resources from unauthorized use. These features, which include Access Control Lists, security groups, and Group Policy, along with the tools that allow you to configure and manage these features, provide a powerful, yet flexible access control infrastructure for your network. Understanding what these features are, why they are necessary, and how they function will help you to manage privileges and permissions on network and local resources more effectively.

In This Chapter

    Overview of Access Control
    User Accounts and Security Groups
    Working With Access Control Lists
    Managing User Rights through Security Groups
    Using Security Policy
    Auditing and Evaluating Access Control

Related Information in the Resource Kits

    For more information about the authentication process and how security contexts are created, see "Logon and Authentication" in this book.
    For more information about authorization in Active Directory environments, see "Authorization and Access Control" in the Distributed Services Guide of the Microsoft Whistler Server Resource Kit.

Overview of Access Control

Every user and computer has a specific role and purpose in an organization.
In order to accomplish their goals, each user and computer must be able to access certain resources and perform specific tasks. However, allowing users and computers unlimited access to system and network resources and functionality can compromise an organization's security and stability. Whistler's access control infrastructure functions to balance the resource access and system security needs of an organization.

For example, Alice works in Accounting and needs to be able to view — but not create or modify — certain Personnel Department files that are off limits to other users in the organization. The Personnel department, which controls these files, has used access control to define which users can have Read-only access to Personnel files, which users can have Write and Modify access, and which users have no access to the Personnel share. Alice has been given Read-only access to the Personnel files.

At the same time, IT has determined that prohibiting users such as Alice from making significant changes to their systems can reduce costs and improve security and supportability. IT has made Alice and other users members of the Users group, thus limiting their ability to install applications and reconfigure their operating system environments. In this way, Alice has the access to resources that she needs, and the security of the organization is maintained.

Key Terms

In order to understand the basic principles of access control, it is important to understand how the following key terms are defined in the context of the access control model for Windows 2000 and Whistler.

Security principal. A user, group, computer, or service. Security principals have accounts. Local accounts are managed by the Security Accounts Manager (SAM) on the computer. If the account is in a native Windows 2000 or Whistler domain, it is managed by Active Directory. If the account is in a Windows NT 4.0 domain, it is managed by a SAM database on the domain controller.

Security identifier (SID).
A value that uniquely identifies a user, group, service, or computer account within an enterprise. Every account is issued a SID when it is created. Access control mechanisms in Windows 2000 and Whistler identify security principals by SID rather than by name.

Security context. Information that describes a particular security principal's identity and capabilities on a computer. In Windows 2000 and Whistler, all users in an organization exist in a specific security context that is reestablished every time they log on. All activities, such as installing or running applications, take place in this security context. The security subsystem uses the security context to determine what a process and its threads of execution can do to objects on the computer, and who will be held accountable for what they have done.

Access token. A data structure containing the SID for a security principal, SIDs for the groups that the security principal belongs to, and a list of the security principal's rights on the local computer. An access token is created for every security principal that logs on locally at the computer's keyboard or remotely through a network connection. The access token provides a security context for the security principal's actions on the computer. It also provides a security context for any application threads that act on the security principal's behalf.

Object. Any resource that can be manipulated by a program or process. Objects include resources that you can see through the user interface, such as files, folders, printers, registry keys, Active Directory objects, and the Windows desktop. They also include resources that you cannot see, such as sessions, processes, threads, and access tokens. An object can function as a logical container for other objects.

Inheritance. A mechanism for propagating access control information down through a tree of objects.
In Windows NT, an object (such as a file) inherits access control information from its parent object (such as a folder) only when the object is first created. In Windows 2000 and Whistler, objects inherit access control information not only when they are created, but also when the parent object's access control list changes.

Owner. The only security principal who has an inherent right to allow or deny permission to access an object. An object's owner can give another security principal permission to take ownership. By default, the built-in Administrators group on a computer is assigned a user right that allows this group to take ownership of all objects on the computer.

Security groups. Groups that can be used to organize users and domain objects, thus simplifying administration. Security groups allow you to assign the same security permissions to large numbers of users, such as employees in a single department or in a single location, ensuring that security permissions are consistent across all members of a group.

Security descriptor. A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by SID. If permissions are configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the users and groups that are allowed or denied access. If auditing is configured for the object, its security descriptor also contains a system access control list (SACL) that controls how the security subsystem audits attempts to access the object.

Access control list (ACL). An ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties. Each ACE identifies a security principal and specifies a set of access rights allowed, denied, or audited for that security principal.

Security settings. Security configuration settings that can be applied to individual computers.
These settings can be configured locally on the computer using the Local Security Policy administration tool, the Security Configuration and Analysis snap-in to the Microsoft Management Console (MMC), or, if the computer is a member of an Active Directory domain, through the Security Settings extension to Group Policy.

Key Concepts

The security systems in Windows 2000 and Whistler are based on technologies originally developed for Windows NT. The access control models in Windows NT, Windows 2000, and Whistler share the same key concepts and characteristics, which are described in the following sections.

Discretionary access to securable objects

The user who owns an object has ultimate control over who has permission to use it and in what way. An object's owner can give permission for different kinds of access to particular users or groups of users. For example, the owner of a file object can give Read and Write permission to all members of one group while denying Write access to members of another group. In Windows 2000 and Whistler, owners can Allow or Deny other users access to individual properties of certain types of objects as well as to the entire object. The properties that can be delegated include the ability to Allow or Deny other users access to the object.

Inheritance of permissions

You can control permissions for new objects created in a container object by setting inheritable permissions on the container. The permissions that you set on a container are inherited by existing objects in the container, as well as by newly created objects. For example, the permissions that are set on an NTFS folder are inherited by new subfolders and files created within the folder.

Auditing of system events

You can use the auditing feature to detect attempts to circumvent protections on resources or to create an audit trail of administrative actions on the system. For example, you can audit failed attempts to open a file.
You can also set security policy so that failed logon attempts are recorded in the security event log. If another administrator changes the auditing policy so that failed logon attempts are no longer audited, the log can record this event as well. In Windows 2000 and Whistler, you can use Group Policy to centrally control who is allowed to manage security logs on computers joined to a domain.
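
The access token, security descriptor and ordered DACL defined under Key Terms, and the Allow/Deny case described under "Discretionary access to securable objects", can be modeled as follows. This is an added example, not code from the Resource Kit: the SIDs, right flags and class names are constructed for illustration, and the evaluation rules it encodes (ACEs are walked in order, a matching Deny for a still-needed right ends the check, an absent DACL leaves the object unrestricted while an empty one grants nothing, and the owner can always read and change the DACL) are assumptions drawn from standard Windows access-check behaviour rather than from this chapter's text.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Access rights as bit flags. Constructed values for this model,
# not the real Windows access-mask constants.
READ, WRITE, MODIFY, READ_CONTROL, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed SIDs (the domain part is a placeholder).
DOM = "S-1-5-21-1000-2000-3000"
ALICE, BOB, PAT = f"{DOM}-1101", f"{DOM}-1102", f"{DOM}-1103"
ACCOUNTING, PERSONNEL, CONTRACTORS = f"{DOM}-2001", f"{DOM}-2002", f"{DOM}-2003"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the entry applies to
    mask: int   # rights allowed or denied


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[Tuple[Ace, ...]]   # None means the object has no DACL


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Return True if every right in `desired` is granted to the token."""
    if sd.dacl is None:
        return True                      # no DACL: access is unrestricted
    sids = token.sids()
    remaining = desired
    if sd.owner_sid in sids:
        # The owner can always read and rewrite the DACL.
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:                  # ACEs are evaluated in list order
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue                     # entry is for another principal
        if ace.kind == "deny" and ace.mask & remaining:
            return False                 # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask       # these rights are now granted
    return remaining == 0                # anything left was never granted


# Tokens: the user's SID plus the SIDs of the groups the user belongs to.
alice = Token(ALICE, frozenset({ACCOUNTING}))
bob = Token(BOB, frozenset({PERSONNEL, CONTRACTORS}))
pat = Token(PAT, frozenset({PERSONNEL}))

# Personnel file: Accounting may read, Personnel may read/write/modify,
# and members of Contractors are denied write and modify.
personnel_file = SecurityDescriptor(PAT, (
    Ace("deny", CONTRACTORS, WRITE | MODIFY),
    Ace("allow", PERSONNEL, READ | WRITE | MODIFY),
    Ace("allow", ACCOUNTING, READ),
))
# The same three entries with the Deny ACE moved to the end of the list.
misordered = SecurityDescriptor(
    PAT, personnel_file.dacl[1:] + personnel_file.dacl[:1])
# A DACL that is present but contains no entries.
empty = SecurityDescriptor(PAT, ())

if __name__ == "__main__":
    checks = [
        ("Alice reads Personnel file", alice, personnel_file, READ),
        ("Alice writes Personnel file", alice, personnel_file, WRITE),
        ("Bob reads Personnel file", bob, personnel_file, READ),
        ("Bob writes Personnel file", bob, personnel_file, WRITE),
        ("Bob writes, Deny ACE last", bob, misordered, WRITE),
        ("Alice reads, empty DACL", alice, empty, READ),
        ("Owner rewrites empty DACL", pat, empty, WRITE_DAC),
    ]
    for label, token, sd, desired in checks:
        print(f"{label:28} -> {access_check(token, sd, desired)}")
```

The misordered descriptor shows why the ACL is described as an ordered list: with the Deny entry last, Bob's Personnel membership grants Write before the Deny is ever reached.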